Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 43ce2c86a89a512e3c9361b40155db8bbef3f441^! / .
commit43ce2c86a89a512e3c9361b40155db8bbef3f441[log] [tgz]
authorBen Lindstrom <mouring@eviladmin.org>Thu Jul 04 00:17:33 2002 +0000
committerBen Lindstrom <mouring@eviladmin.org>Thu Jul 04 00:17:33 2002 +0000
treeebbfbba5ed85155906c280a230943ccb306e8c48
parent343010ad503ee040528d95b10d6cc4d0bde6c303 [diff]
   - markus@cvs.openbsd.org 2002/07/03 09:55:38
     [ssh-keysign.c]
     use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
     in order to avoid a possible Kocher timing attack pointed out by Charles
     Hannum; ok provos@

diff --git a/ChangeLog b/ChangeLog
index ed21152..03d11bb 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -45,6 +45,11 @@
      [sshconnect2.c]
      for compression=yes, we fallback to no-compression if the server does
      not support compression, vice versa for compression=no. ok mouring@
+   - markus@cvs.openbsd.org 2002/07/03 09:55:38
+     [ssh-keysign.c]
+     use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
+     in order to avoid a possible Kocher timing attack pointed out by Charles
+     Hannum; ok provos@
 
 20020702
  - (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc & 
@@ -1253,4 +1258,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2327 2002/07/04 00:16:25 mouring Exp $
+$Id: ChangeLog,v 1.2328 2002/07/04 00:17:33 mouring Exp $

diff --git a/ssh-keysign.c b/ssh-keysign.c
index 6a43568..bed2b98 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c

@@ -22,9 +22,11 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.5 2002/06/26 22:27:32 markus Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.6 2002/07/03 09:55:38 markus Exp $");
 
 #include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
 
 #include "log.h"
 #include "key.h"
@@ -140,6 +142,7 @@
 	u_char *signature, *data;
 	char *host;
 	u_int slen, dlen;
+	u_int32_t rnd[256];
 
 	key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
 	key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
@@ -163,6 +166,9 @@
 	pw = pwcopy(pw);
 
 	SSLeay_add_all_algorithms();
+	for (i = 0; i < 256; i++)
+		rnd[i] = arc4random();
+	RAND_seed(rnd, sizeof(rnd));
 
 	found = 0;
 	for (i = 0; i < 2; i++) {
@@ -172,6 +178,13 @@
 		keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC,
 		    NULL, NULL);
 		close(key_fd[i]);
+		if (keys[i] != NULL && keys[i]->type == KEY_RSA) {
+			if (RSA_blinding_on(keys[i]->rsa, NULL) != 1) {
+				error("RSA_blinding_on failed");
+				key_free(keys[i]);
+				keys[i] = NULL;
+			}
+		}
 		if (keys[i] != NULL)
 			found = 1;
 	}